# SIEM Operations

## Overview

This documentation provides vendor-agnostic SIEM operations guidance with platform-specific implementations for:

- IBM QRadar - AQL queries, threat hunts, playbooks
- Microsoft Sentinel - KQL queries, workbooks, analytics rules
- Wazuh - Open source SIEM/XDR rules and configuration
- Splunk - SPL queries and dashboards (future)
## Quick Links

| Platform | Primary Use Case | Query Language |
|---|---|---|
| IBM QRadar | Enterprise SIEM, threat hunting | AQL (Ariel Query Language) |
| Microsoft Sentinel | Cloud-native SIEM, Azure integration | KQL (Kusto Query Language) |
| Wazuh | Open source SIEM/XDR | OSSEC Rules / Wazuh API |
| Splunk (future) | Enterprise SIEM, IT operations | SPL (Search Processing Language) |
## Core Concepts

All SIEM platforms share common concepts:

- Log Sources - Data inputs (syslog, Windows Events, cloud logs)
- Normalization - Mapping diverse formats to a common schema
- Correlation - Linking related events across sources
- Detection Rules - Identifying threats and anomalies
- Response - Automated or manual incident handling

See SIEM Fundamentals for platform-agnostic guidance.
## Repository Structure

```
domus-siem-ops/
├── concepts/        # Vendor-agnostic SIEM concepts
├── qradar/          # IBM QRadar
│   ├── queries/     # AQL query library
│   ├── hunts/       # Threat hunting procedures
│   ├── playbooks/   # IR playbooks
│   └── reference/   # AQL reference docs
├── sentinel/        # Microsoft Sentinel
├── wazuh/           # Wazuh SIEM/XDR
├── splunk/          # Splunk (future)
└── migrations/      # Platform migration guides
```